BAD_ADDRESS in Windows 2008 DHCP Server

tbird2340

Senior member
Aug 3, 2003
619
0
76
I have a scope of 150 addresses and it is constantly getting filled with BAD_ADDRESS which causes the scope to be full and not have any addresses to give out..

I've run the rogue server check and there are none. I'll delete all the "BAD_ADDRESS" entries and within 10 minutes they will be back..

Looking in the DHCP log it has the router over and over like it's requesting an IP address??

10,08/17/12,00:27:47,Assign,192.168.1.163,main.abcinc.com,636973636F2D303031392E353630342E616163392D4769302F31,,1746141184,0,,,
13,08/17/12,00:27:47,Conflict,192.168.1.163,BAD_ADDRESS,,,0,6,,,

Some info:

Not a new network. I guess this issue has been happening for years (so she says).. She goes in every day and clears out the "BAD_ADDRESS" so users can get an address to get on the network..

Lease is limited to 1 day.

Scope is 192.168.1.100 - 192.168.1.250.. Today I found that there was a wireless access point (not doing DHCP) with a static address of 192.168.1.250 so I changed the scope to end at 1.249..

No other devices that I checked had DHCP enabled (checked the router, the switches (that I knew of), the WAP, and other servers).

There are static addresses for printers and servers and a few PC's.

There is an IP Phone VLAN but this DHCP server doesn't serve those. It does, however, have a scope option of "150 PHONE TFTP" that appears to be for Cisco Callmanager..

Server is on same subnet as clients.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
I would harbor a guess of: a user has bridged their wireless to the internal NIC and the DHCP server is seeing its own IP check and marking it bad. Had this at several customers.

9/10 this is because at home they want to share the work network with a Phone or are trying to use the laptop as a wireless AP at home.
 

tbird2340

I did see in DHCP the same computer name with two IPs and figured one was just on the wifi network and one was on the wired network (both subnet)..

I'm not sure how this would cause an issue though because I do this at work as well.

Thanks for the reply.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Can you ping the bad addresses? That's all Windows should be doing before handing out a lease, so if it's marking them bad it's getting a ping reply back.
 

Nothinman

Then you need to figure why the server thinks they are. Maybe install Wireshark on it and let it run the next time you clear out the bad addresses and see if it catches any clues.
 

tbird2340

I have installed and run Wireshark on it.. It's really not leading me to anything.. I'll post a capture tomorrow.
 

tbird2340

Here's a Wireshark screen.. I can provide the actual file if someone is willing to look at it..

wireshark.jpg
 

imagoon

I really think you have a loop some place. Do you have wireless in the building? The duplicate frames with the same Transaction ID indicate it. If you do have wireless try unplugging it and seeing if the issue "automagically" goes away. If so someone bridged a wired and wireless adapter in their computer or some other form of a wireless loop.
 

tbird2340

They do have a Cisco Aironet 1130AG AP..

Also, in DHCP I see (2) workstations that have (2) IP addresses each. I'm assuming their wireless adapter has one and the physical has the other.. I don't see that as being an issue, right? I mean, at the office here I often get on the network with both my wifi and ethernet..

I'll have to contact them regarding taking down their wifi for a few..

Can you explain to me what you're thinking is the issue with the bridged adapter?

Thanks for the help.
 

imagoon

Windows can bridge network adapters; this is not the same as having 1 workstation with 2 addresses (one for the WLAN and the other on LAN). A bridge bonds the 2 network adapters together and makes them appear as one. Simple example: If you have 2 LAN connections and bridge them together, you could then plug a laptop into port 2 and connect to the same network as the workstation. With wireless this results in a network loop when the wireless NIC connects to the AP and the cable is plugged into the wall. The issue with the wireless is that the loop is often throttled by the fact that wireless is much slower and more error-prone than wired. This means the loop may not take the network down.

The issue is the DHCP server's conflict detection method can see the address it just assigned due to wireless latency. I.e., the broadcast goes out and the wired port sees it, responds and accepts that address, and then sees the request come in again (via wireless) where the adapter announces it has that address, causing the bad address issue.

Ways to fix it: Enable spanning tree and 90% of the time the wireless will get knocked off the network (port will go into blocking) or the other 10% of the time the end user's cable will get dropped. Most switches will tell you which STP token was received (includes the port ID) so you have the port to locate the user.

DHCP guard: Protects the ports from the loops but doesn't resolve the loop.

Give wireless another IP range entirely. A loop will cause odd issues like people getting IP addresses for the wired range (again DHCP Guard is really handy here) but it won't take the network down.

Hope this answers the question... I am a bit brain dead this morning.
 

tbird2340

Thank you for the explanation..

I'm a little confused though.. Say PC1 has a bridged adapter.. It plugs in via ethernet and gets an address.. It then connects to the wifi and requests an address but the wired says it has it.. Wouldn't it just go to the next available and actually get the address?

I delete all the bad addresses and within minutes the pool of over 100 free addresses gets filled up with the bad_addresses.
 

imagoon

> Thank you for the explanation..
>
> I'm a little confused though.. Say PC1 has a bridged adapter.. It plugs in via ethernet and gets an address.. It then connects to the wifi and requests an address but the wired says it has it.. Wouldn't it just go to the next available and actually get the address?
>
> I delete all the bad addresses and within minutes the pool of over 100 free addresses gets filled up with the bad_addresses.

Yes and no. In a bridge you have a cable loop; this means there are two paths to that adapter and 2 sets of broadcast frames appear. On the first set the adapter accepts the IP; on the second set of requests the adapter says "hey I have this address." The DHCP server will mark the address bad because it thinks a device out there has the IP and that IP is not in its internal list so it must have been assigned "somewhere else."

With wireless the second set are typically delayed due to latency / retransmits etc.

I would recommend that you go read about "broadcast storms" and what happens on a looped Ethernet network.

http://computer.howstuffworks.com/lan-switch13.htm

Just remember that wireless is lossy and has latency so tends to "control" the storm and not take the entire network down like a true cable loop would.
 

tbird2340

Also, in the DHCP server log, it shows the router doing the requesting.. Is that normal?

Code:
10,08/20/12,00:29:26,Assign,192.168.1.105,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4246732800,0,,,
13,08/20/12,00:29:26,Conflict,192.168.1.105,BAD_ADDRESS,,,0,6,,,
10,08/20/12,00:29:30,Assign,192.168.1.107,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4246732800,0,,,
13,08/20/12,00:29:30,Conflict,192.168.1.107,BAD_ADDRESS,,,0,6,,,
10,08/20/12,00:29:31,Assign,192.168.1.108,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4246732800,0,,,
13,08/20/12,00:29:31,Conflict,192.168.1.108,BAD_ADDRESS,,,0,6,,,
10,08/20/12,00:29:32,Assign,192.168.1.109,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4246732800,0,,,
13,08/20/12,00:29:32,Conflict,192.168.1.109,BAD_ADDRESS,,,0,6,,,
10,08/20/12,00:29:33,Assign,192.168.1.110,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4246732800,0,,,
13,08/20/12,00:29:33,Conflict,192.168.1.110,BAD_ADDRESS,,,0,6,,,
10,08/20/12,00:29:34,Assign,192.168.1.111,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4246732800,0,,,
13,08/20/12,00:29:34,Conflict,192.168.1.111,BAD_ADDRESS,,,0,6,,,
10,08/20/12,00:29:35,Assign,192.168.1.115,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4246732800,0,,,
13,08/20/12,00:29:35,Conflict,192.168.1.115,BAD_ADDRESS,,,0,6,,,
10,08/20/12,00:29:36,Assign,192.168.1.116,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4246732800,0,,,
13,08/20/12,00:29:36,Conflict,192.168.1.116,BAD_ADDRESS,,,0,6,,,
10,08/20/12,00:29:37,Assign,192.168.1.117,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4246732800,0,,,
13,08/20/12,00:29:37,Conflict,192.168.1.117,BAD_ADDRESS,,,0,6,,,
10,08/20/12,00:29:38,Assign,192.168.1.118,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4246732800,0,,,
13,08/20/12,00:29:38,Conflict,192.168.1.118,BAD_ADDRESS,,,0,6,,,
10,08/20/12,00:29:39,Assign,192.168.1.119,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4246732800,0,,,
13,08/20/12,00:29:39,Conflict,192.168.1.119,BAD_ADDRESS,,,0,6,,,
10,08/20/12,00:29:40,Assign,192.168.1.120,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4246732800,0,,,
13,08/20/12,00:29:40,Conflict,192.168.1.120,BAD_ADDRESS,,,0,6,,,
10,08/20/12,00:29:41,Assign,192.168.1.121,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4246732800,0,,,
13,08/20/12,00:29:41,Conflict,192.168.1.121,BAD_ADDRESS,,,0,6,,,
10,08/20/12,00:29:42,Assign,192.168.1.125,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4246732800,0,,,
13,08/20/12,00:29:42,Conflict,192.168.1.125,BAD_ADDRESS,,,0,6,,,
30,08/20/12,00:30:20,DNS Update Request,192.168.1.224,PC2.abc.com,,,0,6,,,
11,08/20/12,00:30:20,Renew,192.168.1.224,PC2.abc.com,001E4FDCEDAC,,3203546719,0,,,
32,08/20/12,00:30:20,DNS Update Successful,192.168.1.224,PC2.abc.com,,,0,6,,,
10,08/20/12,00:30:46,Assign,192.168.1.126,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4263510016,0,,,
13,08/20/12,00:30:46,Conflict,192.168.1.126,BAD_ADDRESS,,,0,6,,,
10,08/20/12,00:30:47,Assign,192.168.1.148,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4263510016,0,,,
13,08/20/12,00:30:47,Conflict,192.168.1.148,BAD_ADDRESS,,,0,6,,,
10,08/20/12,00:30:48,Assign,192.168.1.149,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4263510016,0,,,
13,08/20/12,00:30:48,Conflict,192.168.1.149,BAD_ADDRESS,,,0,6,,,
14,08/20/12,00:30:48,Scope Full,192.168.1.0,,,,0,6,,,
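
One way to see from the audit log alone which client is behind the conflicts, as an added example that is not part of the original thread: pair each Assign with the Conflict that follows for the same IP and decode the hex client-ID column, which in these lines is ASCII text rather than a 6-byte MAC. The function names are illustrative; the column positions and event IDs are taken from the log lines quoted above.

```python
import csv
from collections import Counter

# Excerpt of the audit-log lines quoted in the thread (columns: ID, date, time,
# description, IP, host name, client ID / MAC, user, transaction ID, ...).
SAMPLE_LOG = """\
10,08/20/12,00:29:26,Assign,192.168.1.105,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4246732800,0,,,
13,08/20/12,00:29:26,Conflict,192.168.1.105,BAD_ADDRESS,,,0,6,,,
10,08/20/12,00:29:30,Assign,192.168.1.107,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4246732800,0,,,
13,08/20/12,00:29:30,Conflict,192.168.1.107,BAD_ADDRESS,,,0,6,,,
11,08/20/12,00:30:20,Renew,192.168.1.224,PC2.abc.com,001E4FDCEDAC,,3203546719,0,,,
10,08/20/12,00:30:48,Assign,192.168.1.149,MainRouter.abc.com,636973636F2D303031392E353630342E616163392D4769302F31,,4263510016,0,,,
13,08/20/12,00:30:48,Conflict,192.168.1.149,BAD_ADDRESS,,,0,6,,,
14,08/20/12,00:30:48,Scope Full,192.168.1.0,,,,0,6,,,
"""

ASSIGN, CONFLICT = 10, 13  # event IDs as they appear in the quoted log


def decode_client_id(field):
    """Return ASCII text for a printable client ID, else a colon-separated MAC."""
    try:
        raw = bytes.fromhex(field)
    except ValueError:
        return field  # not hex at all: show it unchanged
    if len(raw) > 6 and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return ":".join(f"{b:02x}" for b in raw)


def conflicts_by_client(log_text):
    """Count Conflict rows that match the most recent Assign for the same IP."""
    counts = Counter()
    last_assign = None  # (ip, host name, decoded client ID)
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 7 or not row[0].isdigit():
            continue  # skip header text and blank lines
        event, ip = int(row[0]), row[4]
        if event == ASSIGN:
            last_assign = (ip, row[5], decode_client_id(row[6]))
        elif event == CONFLICT and last_assign and last_assign[0] == ip:
            counts[last_assign[1:]] += 1
            last_assign = None
    return counts


if __name__ == "__main__":
    for (host, client), n in conflicts_by_client(SAMPLE_LOG).most_common():
        print(f"{n:4d} conflicts  {host}  {client}")
```
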
 

tbird2340

And another question.. Is there any way (Wireshark, logs, etc) to find out what PC(s) (MAC address) is / are causing this?
 

Nothinman

If the router's doing the requesting that means it has an "ip helper" (e.g. DHCP forwarding) enabled so the requests are really coming from the other interface.
 

tbird2340

I've looked in the router, switch, and ASA and can't find anything related to an IP helper.. I searched for "Help" in the configs of all three.. Nothing..

What I did find, may / may not be something, is on the router (which is what is in the DHCP logs over and over):

!
interface GigabitEthernet0/1
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address dhcp
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip mroute-cache
 duplex auto
 speed auto
!
 

Nothinman

Then it looks like it's just the router asking for an address for that interface and the DHCP server going through the list to find the next truly free one and marking all of those that ping as bad until it finds one open. But it never gets to that point because all of the available addresses in that pool ping.
 

tbird2340

But none of the addresses ping.. They are all open.. I still think that may be the issue because I'm not sure why that interface would be requesting DHCP at all..
 

imagoon

Are you doing DHCP in other scopes? I.e., the DHCP server is 192.168.1.10 but you are giving IPs to 10.10.10.0/24? Whatever MainRouter.abc.com is, it seems to be requesting addresses. It might just be a casualty...
 

tbird2340

I believe I got it.. I had one of our network admins change that interface to no ip instead of DHCP and the bad_address hasn't appeared back, yet..

Thanks again for all the help fellas..
 

Nothinman

> I believe I got it.. I had one of our network admins change that interface to no ip instead of DHCP and the bad_address hasn't appeared back, yet..
>
> Thanks again for all the help fellas..

That may stop the request(s) from the router from causing the DHCP server to ping all of them, but it doesn't explain why the DHCP server thinks they're all responding to ping.
 

tbird2340

> That may stop the request(s) from the router from causing the DHCP server to ping all of them, but it doesn't explain why the DHCP server thinks they're all responding to ping.

As long as all the addresses aren't taken up and users can get on they'll be happy..

What are you suggesting on the second part?
 

tbird2340

The DHCP server would hand out addresses to devices when it had addresses to give out.. The problem was the BAD_ADDRESS would fill up all available IPs.. When they were cleared out the machine(s) were able to get on..

The fact that the DHCP server logs had the router as the device doing the requesting and then following up with the bad_address in the log makes me believe it was the router, and only the router, that was the issue..

Also the fact that the subinterface on the router had DHCP enabled but didn't have an IP address also backs up what I'm thinking was that it kept trying to request an address but didn't get one (which matches up with the logs).

The router itself wasn't forwarding requests via IP helper so I think just that sub interface being set up as DHCP was the issue.. Why Windows wouldn't give it one and instead marked all those as bad I have no idea and would love an explanation.